A device may include one or more input components and one or more processors to: receive network entity data for network entities operating on a network, the network entity data indicating network entity attributes associated with the network entities. The device may generate a map of the network entities based on the network entity data, the map of the network entities defining, for each network entity included in the map, a relationship between the network entity and at least one other network entity included in the plurality of network entities. In addition, the device may identify a network entity relationship rule based on the map of the network entities and perform an action based on the network entity relationship rule.
9. A non-transitory computer-readable medium storing instructions, the instructions comprising:
one or more instructions that, when executed by one or more processors, cause the one or more processors to:
receive network entity data for a plurality of network entities operating on a network,
the network entity data indicating network entity attributes associated with the plurality of network entities;
generate a map of the plurality of network entities based on the network entity data,
the map of the plurality of network entities defining, for each network entity included in the map of the plurality of network entities, a relationship between the network entity and at least one other network entity included in the plurality of network entities,
the relationship indicating, for the network entity and a particular network entity of the at least one other network entity, one of:
the network entity is a component of the particular network entity,
the network entity and the particular network entity comprise components that share a same component type, or
the particular network entity is a component of the network entity;
automatically determine a network entity relationship rule based on the map of the plurality of network entities and based on historical network rules associated with another network,
the network entity relationship rule including:
criteria for matching traffic information, and
one or more security actions to be performed when network traffic matches the criteria;
generate, based on the network entity relationship rule, a plurality of security rules,
each of the plurality of security rules specifying at least one of the plurality of network entities; and
provide the plurality of security rules to a network device operating on the network.
1. A device, including:
one or more input components; and
one or more processors, implemented at least partially in hardware, to:
receive, via at least one of the one or more input components, network entity data for a plurality of network entities operating on a network,
the network entity data indicating network entity attributes associated with the plurality of network entities;
generate a map of the plurality of network entities based on the network entity data,
the map of the plurality of network entities defining, for each network entity included in the map of the plurality of network entities, a relationship between the network entity and at least one other network entity included in the plurality of network entities,
the relationship indicating, for the network entity and a particular network entity of the at least one other network entity, one of:
the network entity is a component of the particular network entity,
the network entity and the particular network entity comprise components that share a same component type, or
the particular network entity is a component of the network entity;
automatically determine a network entity relationship rule based on the map of the plurality of network entities and based on historical network rules associated with another network,
the network entity relationship rule including:
criteria for matching traffic information, and
one or more security actions to be performed when network traffic matches the criteria; and
perform an action based on the network entity relationship rule,
where the one or more processors, when performing the action based on the network entity relationship rule, are to:
translate the network entity relationship rule into a plurality of security rules using the map of the plurality of network entities.
15. A method comprising:
receiving, by a network management device, network entity data for a plurality of network entities operating on a network,
the network entity data indicating network entity attributes associated with the plurality of network entities;
generating, by the network management device, a map of the plurality of network entities based on the network entity data,
the map of the plurality of network entities defining, for each network entity included in the map of the plurality of network entities, a relationship between the network entity and at least one other network entity included in the plurality of network entities,
the relationship indicating, for the network entity and a particular network entity of the at least one other network entity, one of:
the network entity is a component of the particular network entity,
the network entity and the particular network entity comprise components that share a same component type, or
the particular network entity is a component of the network entity;
automatically determining, by the network management device, a network entity relationship rule based on the map of the plurality of network entities and based on historical network rules associated with another network,
the network entity relationship rule including:
criteria for matching traffic information, and
one or more security actions to be performed when network traffic matches the criteria;
generating, by the network management device and based on the network entity relationship rule, a plurality of security rules,
each of the plurality of security rules specifying a firewall rule applicable to at least one of the plurality of network entities; and
providing, by the network management device, the plurality of security rules to a network firewall device operating on the network.
2. The device of
identify, using the map of the plurality of network entities and the network entity relationship rule, at least two network entities of the plurality of network entities; and
include, in at least one of the plurality of security rules, information regarding each of the at least two network entities.
3. The device of
provide the plurality of security rules to a network device operating on the network to cause the network device to implement the one or more security rules.
4. The device of
provide the network entity relationship rule to a network device operating on the network to cause the network device to implement the network entity relationship rule.
5. The device of
provide data causing a user prompt to display data indicating the network entity relationship rule, and
where the one or more processors are further to:
receive user input based on the user prompt.
6. The device of
apply the network entity relationship rule to a network device operating on the network based on the user input,
the network device including a firewall, and
the network entity relationship rule indicating one or more security rules applicable to the firewall.
7. The device of
identify multiple network entities, from the plurality of network entities, based on the criteria for matching traffic information; and
identify device identifiers for the multiple network entities; and
where the one or more processors, when translating the network entity relationship rule into the plurality of security rules, are to:
translate, based on the device identifiers, the network entity relationship rule into respective security rules for the multiple network entities.
8. The device of
the plurality of security rules includes a particular security rule,
the particular security rule indicating that network traffic between the network entity and the particular network entity is to be permitted.
10. The non-transitory computer-readable medium of
a description of the network entity;
a type associated with the network entity;
an application associated with the network entity;
a network address of the network entity;
an organization associated with the network entity;
a host device associated with the network entity;
an operating system associated with the network entity;
a geographic location associated with the network entity;
a user associated with the network entity; or
a user group associated with the network entity.
11. The non-transitory computer-readable medium of
receive data identifying a new network entity operating on the network and associated with the plurality of network entities; and
generate, based on the network entity relationship rule and the new network entity, at least one new security rule.
12. The non-transitory computer-readable medium of
provide the network device with the at least one new security rule.
13. The non-transitory computer-readable medium of
receive data indicating that another particular network entity of the plurality of network entities is no longer operating on the network; and
generate, based on the network entity relationship rule and the plurality of network entities operating on the network, one or more new security rules.
14. The non-transitory computer-readable medium of
provide the network device with data causing the network device to replace the plurality of security rules with the one or more new security rules.
16. The method of
identifying a change in the network entity relationship rule; and
generating at least one new security rule based on the change in the network entity relationship rule.
17. The method of
providing the at least one new security rule to the network firewall device.
18. The method of
automatically determining the network entity relationship rule further based on the network entity attributes associated with the plurality of network entities.
19. The method of
automatically determining the network entity relationship rule further based on rule data received from a third party.
20. The method of
generating the plurality of security rules based on the criteria for matching traffic information and based on the one or more security actions to be performed when network traffic matches the criteria.
Network devices, such as routers, switches, firewalls, or the like, often handle network traffic in the form of network packets (e.g., data packets) that are transmitted between network entities (e.g., devices operating on a network). In some situations, network devices may implement security rules designed to protect various network entities from a variety of potential threats, such as malware, hacking attempts, denial of service attacks, unauthorized access, or the like. Security rules often cause network devices to inspect network traffic, including individual network packets, to determine whether potential threats exist and, if so, how the network packets should be handled.
In some aspects, a device may include one or more input components; and one or more processors to: receive, via at least one of the one or more input components, network entity data for a plurality of network entities operating on a network, the network entity data indicating network entity attributes associated with the plurality of network entities; generate a map of the plurality of network entities based on the network entity data, the map of the plurality of network entities defining, for each network entity included in the map of the plurality of network entities, a relationship between the network entity and at least one other network entity included in the plurality of network entities; identify a network entity relationship rule based on the map of the plurality of network entities; and perform an action based on the network entity relationship rule.
In some aspects, a non-transitory computer-readable medium may store instructions, the instructions comprising: one or more instructions that, when executed by one or more processors, cause the one or more processors to: receive network entity data for a plurality of network entities operating on a network, the network entity data indicating network entity attributes associated with the plurality of network entities; generate a map of the plurality of network entities based on the network entity data, the map of the plurality of network entities defining, for each network entity included in the map of the plurality of network entities, a relationship between the network entity and at least one other network entity included in the plurality of network entities; identify a network entity relationship rule based on the map of the plurality of network entities; generate, based on the network entity relationship rule, a plurality of security rules, each of the plurality of security rules specifying at least one of the plurality of network entities; and provide the plurality of security rules to a network device operating on the network.
In some aspects, a method comprises: receiving, by a network management device, network entity data for a plurality of network entities operating on a network, the network entity data indicating network entity attributes associated with the plurality of network entities; generating, by the network management device, a map of the plurality of network entities based on the network entity data, the map of the plurality of network entities defining, for each network entity included in the map of the plurality of network entities, a relationship between the network entity and at least one other network entity included in the plurality of network entities; identifying, by the network management device, a network entity relationship rule based on the map of the plurality of network entities; generating, by the network management device and based on the network entity relationship rule, at least one security rule, each of the at least one security rule specifying a firewall rule applicable to at least one of the plurality of network entities; and providing, by the network management device, the at least one security rule to a network firewall device operating on the network.
The following detailed description of example implementations refers to the accompanying drawings. The same reference numbers in different drawings may identify the same or similar elements.
Network devices, such as switches, routers, firewalls, or the like, often use security rules to filter or otherwise take action on network packets that are handled by the network devices in the course of forwarding and/or routing the network packets to their intended destination. The security rules are typically created by network administrators and often include a large quantity of rules to be applied, especially as the number of network entities (e.g., hardware devices and software applications operating on a network) and/or security policies increase. The security rules may be implemented, for example, in a table that is processed top-down by a network device, with the first matching security rule being processed. Due to the manner in which security rules are often implemented, the tables that include the security rules may become very large and difficult for an administrator to understand and/or manage. By way of example, a large network deployment, such as a wide area network, large local area network, and/or cloud computing network, may include thousands of network entities, such as applications deployed in data centers, and each application may be associated with multiple network entities, including application components, such as web servers, reporting servers, databases, or the like. The number of security rules that might be applicable in this example situation may be difficult to manage and/or understand, which may result in potential flaws in network security and/or inefficient network management.
Some implementations, described herein, provide a network management device that is capable of using network entity attributes (e.g., attributes indicating various aspects of software and/or hardware devices operating on a network) to generate a network entity map that can be used to create network entity relationship rules (“network rules”) that are relatively simple to understand and that can be easily converted to security rules (e.g., rules that may be applied by network devices, such as firewall rules that may be applied by a firewall) and applied to various network devices capable of implementing the security rules on network traffic to and from network entities operating on the network. For example, the network management device may, using network entity attributes, generate a network entity map that identifies relationships between network entities associated with a network managed by the network management device. Using the relationships identified in the network entity map, the network management device may enable the creation of network rules that are based on the relationships between network entities. The network rules may then be converted to security rules that may be provided to the appropriate network devices for implementing the security rules on network traffic through the network managed by the network management device.
In this way, the ability for a network management device to generate a network entity map and enable creation of network rules may greatly simplify the understanding of security rules in use by network devices and greatly reduce the number of security rules that are manually entered and managed. In addition, network rules may automatically handle security rule updates and changes in situations where network entities change (e.g., the addition and/or removal of a network entity from the network), as network rules may be defined to automatically include or exclude network entities that are added or removed based on their network attributes and relationships with other network entities. Furthermore, changes to a large number of security rules may be implemented by changing a single network rule. Resources, including computing resources and human administrator resources, may be conserved by using a network management device such as the one described herein, e.g., by reducing the amount of time, power, processing resources, memory resources, and/or the like, which might otherwise be used when a network administrator manually manages security rules.
As used herein, a network packet may refer to a communication structure for communicating information, such as a protocol data unit (PDU), a packet, a frame, a datagram, a segment, a message, a block, a cell, a frame, a subframe, a slot, a symbol, a portion of any of the above, and/or another type of formatted or unformatted unit of data capable of being transmitted via a network.
As shown in
As further shown in
As further shown in
As further shown in
As further shown in
The example network rules 160 (e.g., rules 1 through N) depict an example rule generated based on the relationships between network entities. As noted above, and described in further detail below, these rules may have been generated automatically or based on administrator input. Example rule 1 indicates that network traffic should be permitted in a situation where both the source and destination of the network traffic are application components (e.g., network entity type APP_COMPONENT) and the source and destination of the network traffic belong to the same parent application. Additionally, in this example, the network rule indicates that the rule should be applied to datacenter firewalls.
The example security rules 170 (e.g., rules 1 through M) depict example security rules generated based on the network rule (e.g., network rule 1, above). The first security rule indicates, for example, that network traffic should be permitted at datacenter firewalls where the source of the network traffic is Fin_Web_Server and the destination of the network traffic is Fin_DB_Server. The second security rule indicates that network traffic should be permitted at datacenter firewalls where the source of the network traffic is Fin_DB_Server and the destination of the network traffic is Fin_Web_Server. The foregoing security rules may be generated, for example, because both Fin_DB_Server and Fin_Web_Server are application components, and Fin_DB_Server and Fin_Web_Server both belong to the same parent application (e.g., Finance_Application), as indicated in the network entity attributes 150. Similarly, the third security rule indicates that network traffic should be permitted at datacenter firewalls where the source of the network traffic is HR_Web_Server and the destination of the network traffic is HR_DB_Server. The fourth security rule indicates that network traffic should be permitted at datacenter firewalls where the source of the network traffic is HR_DB_Server and the destination of the network traffic is HR_Web_Server. The third and fourth security rules may also have been generated based on the example network rule and the network entity attributes, which indicate that HR_DB_Server and HR_Web_Server are application components that belong to the same parent application (e.g., HR_Application). In this example, four security rules were generated based on a single network rule and the entity attributes.
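The expansion just described, from one relationship-based network rule to concrete per-entity firewall rules, is straightforward to show in code. The following Python is an added example and is not code from the patent or from any product it describes; the entity attributes (Finance/HR applications and their web and database servers), the addresses, the `datacenter_firewall` target name and the `NetworkRule`/`SecurityRule` structures are constructed for illustration. It also covers the later point that adding or removing a network entity is handled by re-running the same network rule rather than editing security rules by hand, and it models the top-down, first-match table processing mentioned earlier (the default action when nothing matches is an assumption, not something the text specifies).

```python
"""Added example: expand a relationship-based network rule into firewall rules.

Not the patent's own code. Entities, addresses and names are constructed.
"""
from dataclasses import dataclass
from itertools import permutations
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class Entity:
    name: str
    entity_type: str                 # e.g. "APPLICATION" or "APP_COMPONENT"
    parent_app: Optional[str] = None  # parent application for a component
    address: str = ""                # constructed sample address


@dataclass(frozen=True)
class SecurityRule:
    target: str        # which network devices should apply the rule
    source: str
    destination: str
    action: str


@dataclass(frozen=True)
class NetworkRule:
    """Criteria over a (source, destination) pair plus the action to take."""
    name: str
    target: str
    criteria: Callable[[Entity, Entity, Dict[str, dict]], bool]
    action: str


# Constructed network entity attributes modelled on the description's example.
ENTITIES: List[Entity] = [
    Entity("Finance_Application", "APPLICATION"),
    Entity("Fin_Web_Server", "APP_COMPONENT", "Finance_Application", "10.0.1.10"),
    Entity("Fin_DB_Server", "APP_COMPONENT", "Finance_Application", "10.0.1.20"),
    Entity("HR_Application", "APPLICATION"),
    Entity("HR_Web_Server", "APP_COMPONENT", "HR_Application", "10.0.2.10"),
    Entity("HR_DB_Server", "APP_COMPONENT", "HR_Application", "10.0.2.20"),
]

# A constructed entity used to show re-expansion after the network changes.
NEW_ENTITY = Entity("Fin_Report_Server", "APP_COMPONENT", "Finance_Application", "10.0.1.30")


def build_entity_map(entities: List[Entity]) -> Dict[str, dict]:
    """Record, per entity, the three relationship kinds the claims enumerate:
    the entity it is a component of, the entities that are its components,
    and peers that share its component type."""
    by_name = {e.name: e for e in entities}
    emap = {e.name: {"component_of": None, "components": set(), "peers": set()}
            for e in entities}
    for e in entities:
        if e.parent_app is not None:
            if e.parent_app not in by_name:
                raise ValueError(f"{e.name}: unknown parent {e.parent_app}")
            emap[e.name]["component_of"] = e.parent_app
            emap[e.parent_app]["components"].add(e.name)
        for other in entities:
            if other is not e and other.entity_type == e.entity_type:
                emap[e.name]["peers"].add(other.name)
    return emap


def _same_parent_components(src: Entity, dst: Entity, emap: Dict[str, dict]) -> bool:
    """Network rule 1: both ends are application components of one parent app."""
    return (src.entity_type == "APP_COMPONENT"
            and dst.entity_type == "APP_COMPONENT"
            and emap[src.name]["component_of"] is not None
            and emap[src.name]["component_of"] == emap[dst.name]["component_of"])


NETWORK_RULE = NetworkRule("rule_1", "datacenter_firewall", _same_parent_components, "permit")


def expand_rule(rule: NetworkRule, entities: List[Entity]) -> List[SecurityRule]:
    """Translate one network rule into one security rule per ordered pair
    of entities that satisfies its criteria (both directions are emitted)."""
    emap = build_entity_map(entities)
    return [SecurityRule(rule.target, s.name, d.name, rule.action)
            for s, d in permutations(entities, 2) if rule.criteria(s, d, emap)]


def first_match(rules: List[SecurityRule], target: str, source: str,
                destination: str, default: str = "deny") -> str:
    """Top-down, first-match table lookup. The 'deny' default is an assumption."""
    for r in rules:
        if r.target == target and r.source == source and r.destination == destination:
            return r.action
    return default


if __name__ == "__main__":
    for r in expand_rule(NETWORK_RULE, ENTITIES):
        print(r)
    # Adding a component re-expands to more rules without touching rule_1.
    print(len(expand_rule(NETWORK_RULE, ENTITIES + [NEW_ENTITY])), "rules after adding", NEW_ENTITY.name)
```

Running the block prints the four permit rules from the description (Fin_Web_Server to and from Fin_DB_Server, HR_Web_Server to and from HR_DB_Server); adding a third Finance component raises the count to eight, and dropping one HR component leaves two, with the network rule itself unchanged. The criteria function reads relationships from the map rather than from the raw attributes, which is what lets a single rule stay valid as entities come and go.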
In this way, the ability for a network management device to generate a network entity map and enable creation of network rules may greatly simplify the understanding of security rules in use by network devices and greatly reduce the number of security rules that are manually entered and managed. In addition, network rules may automatically handle security rule updates and changes in situations where network entities change (e.g., the addition and/or removal of a network entity from the network), as network rules may be defined in a manner that includes or excludes network entities that are added or removed based on their network attributes and relationships with other network entities. Furthermore, changes to a large number of security rules may be implemented by changing a single network rule. Resources, including computing resources and human administrator resources, may be conserved by using a network management device such as the one described herein, e.g., by reducing the amount of time, power, processing resources, memory resources, and/or the like, which might otherwise be used when a network administrator manually manages security rules.
As indicated above,
Network entities 210 include one or more applications and/or one or more devices capable of receiving, generating, storing, processing, and/or providing information associated with network traffic. In some implementations, network entity 210 may include an application, such as a software application implemented by one or more computing devices, a software application deployed in a cloud computing environment, or the like. In some implementations, network entity 210 may include a communication and/or computing device, such as a mobile phone (e.g., a smart phone, a radiotelephone, etc.), a laptop computer, a tablet computer, a handheld computer, a gaming device, a wearable communication device (e.g., a smart wristwatch, a pair of smart eyeglasses, etc.), an IoT device, a personal computer, a server computer, a virtual machine executing on a computer device, or a similar type of device. Network entity 210 may correspond to a variety of attributes that define any number of things relevant to the network entity 210, such as attributes identifying an entity type, an entity identifier, an associated application, an associated organization, a network address, or the like. In some implementations, network entity 210 may include a variety of applications, such as a web browsing application, entertainment application, communications application, or the like, for generating internet protocol packets to be transmitted to and/or received from other devices and/or network entities (e.g., other network entities 210, network devices 220, or the like) via a network (such as network 240).
Network devices 220 include one or more devices capable of receiving, generating, storing, processing, and/or providing information related to network traffic. For example, network device 220 may include a firewall, a router, a gateway, a switch, a hub, a bridge, a reverse proxy, a server (e.g., a proxy server), a security device, an intrusion detection device, a load balancer, or a similar device. In some implementations, network device 220 may receive network rules and/or security rules and apply the rules to network traffic handled by network device 220. Additionally, or alternatively, network device 220 may perform other actions and/or processes on network traffic, including encryption, decryption, load balancing, security scanning, switching, routing, or the like. In some implementations, network device 220 may be a physical device implemented within a housing, such as a chassis. In some implementations, network device 220 may be a virtual device implemented by one or more computer devices of a cloud computing environment or a data center.
Network management device 230 includes one or more devices capable of receiving, generating, storing, processing, and/or providing information related to network entities. For example, network management device 230 may include a communication and/or computing device, such as a server computer, laptop computer, personal computer, mobile phone, handheld computer, tablet computer, router, gateway, switch, or similar device. In some implementations, network management device 230 includes or otherwise has access to network entity attribute data (e.g., stored by or otherwise accessible to network management device 230) that includes attributes relevant to network entities 210. Network management device 230 may also be able to communicate with network devices 220 (e.g., via network 240) in a manner enabling network management device 230 to provide one or more network devices 220 with network rules and/or security rules to be applied to network traffic associated with network entities 210. For example, network management device 230 may include an application enabling network management device 230 to push security rules to network devices 220 in a manner that causes the network devices 220 to apply the security rules to network traffic traversing the network devices 220.
Network 240 includes one or more wired and/or wireless networks. For example, network 240 may include a cellular network (e.g., a long-term evolution (LTE) network, a code division multiple access (CDMA) network, a 3G network, a 4G network, a 5G network, another type of next generation network, etc.), a public land mobile network (PLMN), a local area network (LAN), a wide area network (WAN), a metropolitan area network (MAN), a telephone network (e.g., the Public Switched Telephone Network (PSTN)), a private network, an ad hoc network, an intranet, the Internet, a fiber optic-based network, a cloud computing network, or the like, and/or a combination of these or other types of networks.
The number and arrangement of devices and networks shown in
Bus 310 includes a component that permits communication among the components of device 300. Processor 315 is implemented in hardware, firmware, or a combination of hardware and software. Processor 315 takes the form of a central processing unit (CPU), a graphics processing unit (GPU), an accelerated processing unit (APU), a microprocessor, a microcontroller, a digital signal processor (DSP), a field-programmable gate array (FPGA), an application-specific integrated circuit (ASIC), or another type of processing component. In some implementations, processor 315 includes one or more processors capable of being programmed to perform a function. Memory 320 includes a random access memory (RAM), a read only memory (ROM), and/or another type of dynamic or static storage device (e.g., a flash memory, a magnetic memory, and/or an optical memory) that stores information and/or instructions for use by processor 315.
Storage component 325 stores information and/or software related to the operation and use of device 300. For example, storage component 325 may include a hard disk (e.g., a magnetic disk, an optical disk, a magneto-optic disk, and/or a solid state disk), a compact disc (CD), a digital versatile disc (DVD), a floppy disk, a cartridge, a magnetic tape, and/or another type of non-transitory computer-readable medium, along with a corresponding drive.
Input component 330 includes a component that permits device 300 to receive information, such as via user input (e.g., a touch screen display, a keyboard, a keypad, a mouse, a button, a switch, and/or a microphone). Additionally, or alternatively, input component 330 may include a sensor for sensing information (e.g., a global positioning system (GPS) component, an accelerometer, a gyroscope, and/or an actuator). Output component 335 includes a component that provides output information from device 300 (e.g., a display, a speaker, and/or one or more light-emitting diodes (LEDs)).
Communication interface 340 includes a transceiver-like component (e.g., a transceiver and/or a separate receiver and transmitter) that enables device 300 to communicate with other devices, such as via a wired connection, a wireless connection, or a combination of wired and wireless connections. Communication interface 340 may permit device 300 to receive information from another device and/or provide information to another device. For example, communication interface 340 may include an Ethernet interface, an optical interface, a coaxial interface, an infrared interface, a radio frequency (RF) interface, a universal serial bus (USB) interface, a Wi-Fi interface, a cellular network interface, or the like.
Device 300 may perform one or more processes described herein. Device 300 may perform these processes based on processor 315 executing software instructions stored by a non-transitory computer-readable medium, such as memory 320 and/or storage component 325. A computer-readable medium is defined herein as a non-transitory memory device. A memory device includes memory space within a single physical storage device or memory space spread across multiple physical storage devices.
Software instructions may be read into memory 320 and/or storage component 325 from another computer-readable medium or from another device via communication interface 340. When executed, software instructions stored in memory 320 and/or storage component 325 may cause processor 315 to perform one or more processes described herein. Additionally, or alternatively, hardwired circuitry may be used in place of or in combination with software instructions to perform one or more processes described herein. Thus, implementations described herein are not limited to any specific combination of hardware circuitry and software.
The number and arrangement of components shown in
Input component 355 may be points of attachment for physical links and may be points of entry for incoming traffic, such as packets. Input component 355 may process incoming traffic, such as by performing data link layer encapsulation or decapsulation. In some implementations, input component 355 may send and/or receive packets. In some implementations, input component 355 may include an input line card that includes one or more packet processing components (e.g., in the form of integrated circuits), such as one or more interface cards (IFCs), packet forwarding components, line card controller components, input ports, processors, memories, and/or input queues. In some implementations, device 350 may include one or more input components 355.
Switching component 360 may interconnect input components 355 with output components 365. In some implementations, switching component 360 may be implemented via one or more crossbars, via busses, and/or with shared memories. The shared memories may act as temporary buffers to store packets from input components 355 before the packets are eventually scheduled for delivery to output components 365. In some implementations, switching component 360 may enable input components 355, output components 365, and/or controller 370 to communicate.
Output component 365 may store packets and may schedule packets for transmission on output physical links. Output component 365 may support data link layer encapsulation or decapsulation, and/or a variety of higher-level protocols. In some implementations, output component 365 may send packets and/or receive packets. In some implementations, output component 365 may include an output line card that includes one or more packet processing components (e.g., in the form of integrated circuits), such as one or more IFCs, packet forwarding components, line card controller components, output ports, processors, memories, and/or output queues. In some implementations, device 350 may include one or more output components 365. In some implementations, input component 355 and output component 365 may be implemented by the same set of components (e.g., an input/output component may be a combination of input component 355 and output component 365).
Controller 370 includes a processor in the form of, for example, a CPU, a GPU, an APU, a microprocessor, a microcontroller, a DSP, an FPGA, an ASIC, and/or another type of processor. As indicated above, a processor is implemented in hardware, firmware, or a combination of hardware and software. In some implementations, controller 370 may include one or more processors that can be programmed to perform a function.
In some implementations, controller 370 may include a random access memory (RAM), a read only memory (ROM), and/or another type of dynamic or static storage device (e.g., a flash memory, a magnetic memory, an optical memory, etc.) that stores information and/or instructions for use by controller 370.
In some implementations, controller 370 may communicate with other devices, networks, and/or systems connected to device 350 to exchange information regarding network topology. Controller 370 may create routing tables based on the network topology information, create forwarding tables based on the routing tables, and forward the forwarding tables to input components 355 and/or output components 365. Input components 355 and/or output components 365 may use the forwarding tables to perform route lookups for incoming and/or outgoing packets.
Controller 370 may perform one or more processes described herein. Controller 370 may perform these processes in response to executing software instructions stored by a non-transitory computer-readable medium. A computer-readable medium is defined herein as a non-transitory memory device. A memory device includes memory space within a single physical storage device or memory space spread across multiple physical storage devices.
Software instructions may be read into a memory and/or storage component associated with controller 370 from another computer-readable medium or from another device via a communication interface. When executed, software instructions stored in a memory and/or storage component associated with controller 370 may cause controller 370 to perform one or more processes described herein. Additionally, or alternatively, hardwired circuitry may be used in place of or in combination with software instructions to perform one or more processes described herein. Thus, implementations described herein are not limited to any specific combination of hardware circuitry and software.
The number and arrangement of components shown in
As shown in
In some implementations, the network entity data may be obtained, or may have been previously obtained, in a variety of ways. For example, network management device 230 may have previously requested network entity data from network entities 210 and/or other devices in communication with network entities 210, such as network devices 220. In some implementations, network entities 210 may include some of the network entity attributes in network traffic provided by the network entities 210, which may enable network management device 230 (e.g., using network devices 220) to obtain network entity attributes using network traffic monitoring (e.g., identifying network entity attributes that may be included in header data of network packets transmitted to or by network entities 210). In some implementations, the network entity data may be provided by a third party, such as a third party device designed to obtain network entity attributes, a network administrator, or the like. In some implementations, network management device 230 may derive one or more network entity attributes from other data associated with network entities 210. For example, based on an IP address associated with a network entity, network management device 230 may determine a geographic location associated with the network entity 210 and a host device associated with the network entity 210 (e.g., by querying the network entity 210 or requesting data from a database storing information associated with the network entity 210).
In this way, network management device 230 may receive network entity data indicating network entity attributes associated with network entities 210, enabling network management device 230 to generate a map of network entities 210 based on the network entity data associated with the network entities 210.
As further shown in
The relationships between network entities 210 may be identified and included in the map in a variety of ways. For example, relationships between entities may depend upon the network entity attributes available, default relationships identified by network management device 230, and/or relationships specified by a third party, such as a network administrator.
In some implementations, network management device 230 may include or otherwise have access to information defining a set of default relationships. For example, network management device 230 may be preconfigured to identify particular relationships and to include the particular relationships in a map of network entities. For example, a common relationship between network entities may include a shared host, and network management device 230 may automatically include, when generating the map of network entities, information identifying which network entities 210 included in the map have a shared host (e.g., assuming information identifying the host of a network entity 210 is included in network entity data). As another example, network management device 230 may automatically include, when generating the map, information identifying which network entities 210 are associated with the same organization and/or department within an organization.
In some implementations, network management device 230 may include, in the map of network entities, data identifying a relationship between entities that is based on information specified by a third party. For example, a network administrator may instruct network management device 230 to include, in the map, data identifying which network entities 210 have the same parent application, data identifying which network entities 210 are associated with the same user group, or the like.
The map may be implemented in a variety of forms. In some implementations, the map may be stored in a data structure enabling lookup, retrieval, modification, or the like. For example, the network management device 230 may store the map in a database of network entity relationship information. This may enable, for example, network management device 230 to obtain, for any given network entity 210, relationship information defining the relationships the given network entity 210 has with each other network entity 210 for which data is included in the map. In addition, network management device 230 may make changes to the map, enabling the map to remain updated with relevant attributes and relationship information. The map may be stored locally (e.g., by network management device 230) or at a remote location, such as a remote network storage device.
In this way, network management device 230 may generate a map of network entities based on the network entity data associated with the network entities 210, enabling network management device 230 to have access to data defining relationships between network entities 210. Access to data defining relationships between network entities 210 may facilitate, for example, the creation of network entity relationship rules that can be applied to network traffic associated with network entities 210.
As further shown in
The content of a network rule may vary. In some implementations, a network rule includes criteria for matching traffic information, and one or more security actions to be performed when the network traffic matches the criteria. The criteria for matching traffic information may include information identifying at least one relationship associated with one or more of the network entities 210. The relationship(s) may be identified from the map of network entities. For example, a set of criteria that includes only one network relationship may be “source user_group is network_administrators,” indicating that a network rule using those criteria should be applied to all network traffic where the source of the network traffic is associated with a network entity 210 in the user group named network_administrators, which may be associated with one or more network entities 210. As another example with four criteria, an example network rule may specify the following relationships: “(source type is app_component AND destination type is app_component) AND ((source app_component AND destination app_component) belongs to parent application).” A network rule using the foregoing network entity relationships as criteria may be applicable to, for example, network traffic between application components where both the source and destination application components are part of the same parent application.
The security actions specified by network rules may also vary. Security actions may include, for example, permitting network traffic, logging network traffic, blocking network traffic, flagging network traffic, quarantining network traffic, storing network traffic for further analysis, or the like. As described below, the security action(s) define the action to be taken when network traffic matches the criteria specified by the network rule.
In some implementations, network rules may include additional information (e.g., information not related to relationships between network entities 210) that may cause the network rule to be applied in certain ways or cause the network rule not to be applied in some situations. For example, a network rule may include conditions for activating the rule that depend on the type of network traffic, communications protocol being used, or the like. Additionally, or alternatively, network rules may include information regarding applicability to certain subsets of network devices 220 (e.g., limiting the application of a network rule to firewall devices in a particular datacenter). Other information may also be used, in addition to or alternatively to relationship information, in network rules.
In some implementations, the network rules may be generated by network management device 230. For example, network management device 230 may automatically determine, based on relationships identified in the map of network entities, network rules that may be applicable for the corresponding network entities 210. By way of example, based on historical network rules used for other networks and/or by other network management devices, network management device 230 may generate one or more network rules specifying that network traffic with network entities 210 associated with a particular country (e.g., a country associated with network security risks) be logged. In some implementations, network management device 230 may have default rules, or preconfigured rules, that may be used to generate network rules in situations where the corresponding relationships exist between network entities 210. For example, network management device 230 may have a default rule that results in creation of a network rule based on the generation of a map that includes data identifying a user group relationship between network entities 210 (e.g., a network rule permitting network communications between network entities 210 that are associated with the same user group).
In some implementations, network rules may be identified based on input provided by a third party. For example, a network administrator in communication with network management device 230 may provide a network rule. For example, a network administrator may provide network management device 230 with data causing network management device 230 to implement a network rule that causes network traffic to be permitted between network entities 210 that are components of the same application. In some implementations, the third party may be a third party network rule provider that generates network rules for particular types of network entities 210 and/or relationships between network entities 210. In this situation, network management device 230 may obtain network rules from the third party network rule provider.
In this way, network management device 230 may identify a network rule based on the map of network entities, enabling network management device 230 to take one or more actions based on the network rule.
As further shown in
For example, in some implementations, network management device 230 may prompt a user for input regarding the network rule. In this situation, network management device 230 may cause display of information regarding confirmation or modification of one or more network rules identified by network management device 230. For example, network management device 230 may cause display of a user prompt to a network administrator (e.g., delivered directly from a peripheral of network management device 230 and/or to a separate device associated with the network administrator), the user prompt requesting confirmation of one or more network rules, enabling the network administrator to approve application of the network rule(s) (e.g., with or without modifications).
In some implementations, network management device 230 may translate the network rule into one or more security rules. For example, using the map of network entities, network management device 230 may generate security rules from the network rule. By way of example, the network rule may specify matching criteria (in terms of network entity relationships) that maps to several network entities 210 for which relationship information is included in the map. For the network entities 210 that match the criteria, network management device 230 may generate one or more security rules. Firewall rules, for example, are a type of security rule that may include a source device identifier (e.g., a source IP address), a destination device identifier (e.g., a destination IP address), and an action to be taken on network traffic matching the source and destination device identifiers (e.g., actions, such as permit, hold, block, log, or the like).
Using the specific example network rule above, with the matching criteria being “source user_group is network_administrators,” network management device 230 may identify each network entity 210 that corresponds to those criteria (e.g., by identifying network addresses of each network entity 210 that belongs to the user group named network_administrators, specified in the map of network entities). Assuming that three network entities 210 match the foregoing criteria, network management device 230 may translate the network rule into three security rules (e.g., each security rule permitting network traffic where the source matches one of the network addresses identified as being associated with the network_administrators user group). Using the other specific example network rule above, with the matching criteria being “(source type is app_component AND destination type is app_component) AND ((source app_component AND destination app_component) belongs to parent application),” network management device 230 may identify each network entity 210 that corresponds to the foregoing criteria (e.g., by identifying network addresses of each network entity 210 that is an app_component). Assuming two network entities 210 are of the type app_component (e.g., as specified in the map of network entities), and that both of the network entities 210 also belong to the same parent application, network management device 230 may translate the network rule into two security rules (e.g., one security rule for each of the two network entities 210 specifying, for example, that network traffic between the two network entities 210 should be permitted).
In some implementations, network management device 230 may apply the network rule to one or more network devices 220. In some implementations, network management device 230 provides the network rule to one or more network devices 220 (e.g., via network 240), enabling network devices 220 to apply the rules. Providing a network rule to network devices 220 may be performed, for example, in a situation where network devices 220 are capable of applying the network rule (e.g., by translating the network rule into one or more security rules and/or by applying the network rule directly with access to the map of network entities to enable network entity lookup). In some implementations, network management device 230 translates the network rule into one or more security rules prior to providing the security rules to one or more network devices 220. In this situation, network devices 220 may receive security rules in a manner and format designed to enable network devices 220 to directly apply the security rules to network traffic.
In some implementations, network management device 230 may update one or more security rules based on a change associated with one or more network entities 210 or corresponding network entity attributes. For example, in a situation where a network entity 210 is added to or removed from network 240, and the network entity 210 matches criteria of an existing network rule, network management device 230 may generate additional security rules applicable to an added network entity 210, or remove security rules applicable to a removed network entity 210, and provide the updated security rules to network entities 210 that use the updated security rules. Using the specific example network rule above, with the matching criteria being “(source type is app_component AND destination type is app_component) AND ((source app_component AND destination app_component) belongs to parent application),” adding a network entity 210 that meets these criteria may result in the creation of four new security rules, for a total of six security rules applicable to the three corresponding network entities 210 (e.g., bidirectional security rules between the three network entities 210).
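As an added illustration (not code from the patent or from Juniper), the following Python builds the map of network entities from constructed sample attribute data, derives the shared-user-group and shared-parent-application relationships described above, translates the two example network rules into per-address security rules, and re-translates after an entity is added; it reproduces the three, two, and four-new/six-total rule counts given in the text. Entity names, addresses, and the SecurityRule layout are assumptions for the example.

```python
from dataclasses import dataclass
from typing import Dict, Set, Tuple

# Constructed sample network entity data: names, addresses and attributes
# are made up for this example.
ENTITIES: Dict[str, dict] = {
    "admin-ws-1": {"address": "10.0.1.11", "type": "host", "user_group": "network_administrators"},
    "admin-ws-2": {"address": "10.0.1.12", "type": "host", "user_group": "network_administrators"},
    "admin-ws-3": {"address": "10.0.1.13", "type": "host", "user_group": "network_administrators"},
    "dev-ws-1": {"address": "10.0.2.21", "type": "host", "user_group": "developers"},
    "shop-web": {"address": "10.0.3.31", "type": "app_component", "parent_app": "shop"},
    "shop-db": {"address": "10.0.3.32", "type": "app_component", "parent_app": "shop"},
    "crm-web": {"address": "10.0.4.41", "type": "app_component", "parent_app": "crm"},
}


@dataclass(frozen=True)
class SecurityRule:
    """Firewall-style security rule: source address, destination address, action."""
    src: str
    dst: str
    action: str


def build_map(entities: Dict[str, dict]) -> Dict[str, Dict[str, Set[str]]]:
    """Generate the map of network entities: for each entity, the other entities
    that share its user group and the other entities that share its parent
    application (two of the default relationships discussed above)."""
    relmap = {name: {"same_user_group": set(), "same_parent_app": set()} for name in entities}
    for a, attrs_a in entities.items():
        for b, attrs_b in entities.items():
            if a == b:
                continue
            if attrs_a.get("user_group") and attrs_a["user_group"] == attrs_b.get("user_group"):
                relmap[a]["same_user_group"].add(b)
            if attrs_a.get("parent_app") and attrs_a["parent_app"] == attrs_b.get("parent_app"):
                relmap[a]["same_parent_app"].add(b)
    return relmap


def translate_source_group_rule(entities: Dict[str, dict], group: str,
                                action: str = "permit") -> Set[SecurityRule]:
    """Network rule 'source user_group is <group>': one security rule per member
    of the group, keyed on the member's address as the source."""
    return {
        SecurityRule(src=attrs["address"], dst="any", action=action)
        for attrs in entities.values()
        if attrs.get("user_group") == group
    }


def translate_same_parent_app_rule(entities: Dict[str, dict],
                                   relmap: Dict[str, Dict[str, Set[str]]],
                                   action: str = "permit") -> Set[SecurityRule]:
    """Network rule '(source type is app_component AND destination type is
    app_component) AND (both belong to the same parent application)': one
    security rule per ordered (source, destination) pair of related components,
    so n related components yield n*(n-1) bidirectional rules."""
    rules: Set[SecurityRule] = set()
    for src, attrs in entities.items():
        if attrs.get("type") != "app_component":
            continue
        for dst in relmap[src]["same_parent_app"]:
            if entities[dst].get("type") == "app_component":
                rules.add(SecurityRule(attrs["address"], entities[dst]["address"], action))
    return rules


def added_rules_after_change(entities: Dict[str, dict], new_name: str,
                             new_attrs: dict) -> Tuple[Set[SecurityRule], Set[SecurityRule]]:
    """Re-translate the parent-application rule after a network entity is added.
    Returns (newly created security rules, full updated rule set)."""
    before = translate_same_parent_app_rule(entities, build_map(entities))
    updated = dict(entities)
    updated[new_name] = new_attrs
    after = translate_same_parent_app_rule(updated, build_map(updated))
    return after - before, after


if __name__ == "__main__":
    relmap = build_map(ENTITIES)
    print(len(translate_source_group_rule(ENTITIES, "network_administrators")))  # 3
    print(len(translate_same_parent_app_rule(ENTITIES, relmap)))  # 2
    new, total = added_rules_after_change(
        ENTITIES, "shop-cache", {"address": "10.0.3.33", "type": "app_component", "parent_app": "shop"})
    print(len(new), len(total))  # 4 6
```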
In some implementations, network management device 230 may update one or more security rules based on a change associated with a network rule. For example, a change in the criteria for matching a network rule may potentially affect a large number of security rules and/or network devices 220. In this situation, network management device 230 may provide network devices 220 with updated network rules and/or updated security rules determined by translating the changed network rule.
As noted above, network management device 230 may perform other actions based on the network rule, in addition to or as an alternative to the actions described above. In this way, network management device 230 may perform an action based on the network rule, enabling the management of network traffic based on network rules derived from relationships between network entities 210.
Although
In this way, the ability of network management device 230 to generate a map of network entities and enable creation of network rules may greatly simplify the understanding of security rules in use by network devices 220 and greatly reduce the number of security rules that are manually entered and managed. In addition, network rules may automatically handle security rule updates and changes in situations where network entities 210 change (e.g., the addition and/or removal of a network entity 210 from the network), as network rules may be defined in a manner that includes or excludes network entities 210 that are added or removed based on their network attributes and relationships with other network entities 210. Furthermore, changes to a large number of security rules may be implemented by changing a single network rule. Resources, including computing resources and human administrator resources, may be conserved by using network management device 230, e.g., by reducing the amount of time, power, processing resources, memory resources, and/or the like, which might otherwise be used when a network administrator manually manages security rules.
The foregoing disclosure provides illustration and description, but is not intended to be exhaustive or to limit the implementations to the precise form disclosed. Modifications and variations are possible in light of the above disclosure or may be acquired from practice of the implementations.
As used herein, the term component is intended to be broadly construed as hardware, firmware, and/or a combination of hardware and software.
It will be apparent that systems and/or methods, described herein, may be implemented in different forms of hardware, firmware, or a combination of hardware and software. The actual specialized control hardware or software code used to implement these systems and/or methods is not limiting of the implementations. Thus, the operation and behavior of the systems and/or methods were described herein without reference to specific software code—it being understood that software and hardware can be designed to implement the systems and/or methods based on the description herein.
Even though particular combinations of features are recited in the claims and/or disclosed in the specification, these combinations are not intended to limit the disclosure of possible implementations. In fact, many of these features may be combined in ways not specifically recited in the claims and/or disclosed in the specification. Although each dependent claim listed below may directly depend on only one claim, the disclosure of possible implementations includes each dependent claim in combination with every other claim in the claim set.
No element, act, or instruction used herein should be construed as critical or essential unless explicitly described as such. As used herein, the term “or the like” is intended to be inclusive (e.g., as in “and/or the like”), unless explicitly stated otherwise. Also, as used herein, the articles “a” and “an” are intended to include one or more items, and may be used interchangeably with “one or more.” Furthermore, as used herein, the term “set” is intended to include one or more items (e.g., related items, unrelated items, a combination of related and unrelated items, etc.), and may be used interchangeably with “one or more.” Where only one item is intended, the term “one” or similar language is used. Also, as used herein, the terms “has,” “have,” “having,” or the like are intended to be open-ended terms. Further, the phrase “based on” is intended to mean “based, at least in part, on” unless explicitly stated otherwise.
Nimmagadda, Srinivas, Manocha, Rakesh
| Executed on | Assignor | Assignee | Conveyance | Frame | Reel | Doc |
| --- | --- | --- | --- | --- | --- | --- |
| Dec 11 2017 | Juniper Networks, Inc. | (assignment on the face of the patent) | / | | | |
| Dec 11 2017 | NIMMAGADDA, SRINIVAS | Juniper Networks, Inc | ASSIGNMENT OF ASSIGNORS INTEREST SEE DOCUMENT FOR DETAILS | 044367 | /0409 | |
| Dec 11 2017 | MANOCHA, RAKESH | Juniper Networks, Inc | ASSIGNMENT OF ASSIGNORS INTEREST SEE DOCUMENT FOR DETAILS | 044367 | /0409 | |
| Date | Maintenance Fee Events |
| --- | --- |
| Dec 11 2017 | BIG: Entity status set to Undiscounted (note the period is included in the code). |
| Oct 19 2023 | M1551: Payment of Maintenance Fee, 4th Year, Large Entity. |

| Date | Maintenance Schedule |
| --- | --- |
| May 05 2023 | 4 years fee payment window open |
| Nov 05 2023 | 6 months grace period start (w surcharge) |
| May 05 2024 | patent expiry (for year 4) |
| May 05 2026 | 2 years to revive unintentionally abandoned end. (for year 4) |
| May 05 2027 | 8 years fee payment window open |
| Nov 05 2027 | 6 months grace period start (w surcharge) |
| May 05 2028 | patent expiry (for year 8) |
| May 05 2030 | 2 years to revive unintentionally abandoned end. (for year 8) |
| May 05 2031 | 12 years fee payment window open |
| Nov 05 2031 | 6 months grace period start (w surcharge) |
| May 05 2032 | patent expiry (for year 12) |
| May 05 2034 | 2 years to revive unintentionally abandoned end. (for year 12) |